Fiscal Year 2005 Financial Statement Audit

Report No. 06-01, November 15, 2005

Letter to Management

Memorandum on Internal Control

Material Weaknesses

Information Security

During FY 2005, the OIG evaluated information security pursuant to the provisions of the Federal Information Security Management Act.[1] Our review disclosed continued weaknesses in many areas of the RRB’s information security program. Significant deficiencies in program management and access controls make the agency’s information security program a source of material weakness in internal control.

The RRB has undertaken the job of strengthening information security and has implemented many corrective actions recommended by the OIG and other technical specialists. However, the agency has not completed the corrective action needed to eliminate the previously reported deficiencies in training and access controls that were the basis for the OIG’s original finding of material weakness. In FY 2005, we reported that the RRB is experiencing difficulty in achieving an effective, FISMA compliant security program and reported two new significant deficiencies resulting from delays in meeting FISMA requirements for risk assessments and periodic testing and evaluation.

Performance Measures

The RRB needs to strengthen internal control over the measurement and presentation of performance measures reported pursuant to the Government Performance and Results Act of 1993 (GPRA). GPRA requires Federal agencies to establish program goals, measure performance and report annually on their accomplishments. OMB currently requires that these reports be published with agency financial statements as part of an integrated performance and accountability report.

Existing controls over the measurement of agency performance do not include verification of data generated by automated systems. As a result, the RRB has not adequately ensured that performance information presented as required supplementary information has been recorded, processed, and summarized to permit preparation of performance information in accordance with management’s criteria.

During FY 2005, the OIG performed detailed tests of two performance indicators. Audit tests disclosed that the RRB had materially overstated its performance with respect to timeliness because claims had been misclassified and system generated data did not include all processing time.[2] As a result, the agency has withdrawn prior-year performance information for those two indicators and qualified its presentation of current-year performance. Inaccuracies in other performance indicators may have occurred and not been detected or disclosed to users of the information.

In response to the OIG’s initial findings, the RRB implemented a management attestation process to clarify responsibility for performance data; however, that initiative did not adequately ensure that data would be verified or supporting documentation retained.

   1. We recommend that the RRB ensure that the internal control process for performance indicators includes validation of data and retention of supporting documentation.

Actuarial Projection Process

The RRB needs to strengthen controls over the actuarial projection process that supports the projections and estimates presented in the statement of social insurance and related disclosures which are published with the agency’s financial statements as required supplementary stewardship information.

During FY 2005, the OIG performed a detailed evaluation of controls over the actuarial projection process that disclosed inadequacies in internal control over the projections and related reports.[3] Although responsible management and staff have described extensive controls over the preparation of projections, estimates and reports, they have not formalized their policies and procedures, do not capture evidence of the operation of controls and do not perform periodic evaluations of compliance with internal requirements.

Implementation of prior OIG recommendations for corrective action is pending.

Reportable Conditions

Controls Over Compliance with the Prompt Payment Act

The RRB needs to strengthen controls to ensure compliance with the Prompt Payment Act.

During FY 2005, the OIG performed a detailed evaluation of controls over compliance with the Prompt Payment Act and concluded that existing systems and procedures had not been effective in ensuring that interest is paid to vendors in accordance with the requirements.[4] The RRB does not identify all invoices on which interest should be paid and does not pay the correct amount of interest when a late payment is recognized. In addition, controls are not adequate to ensure that required restrictions on early payment have been properly implemented.

Many of the problems identified by our audit had been reported repeatedly in the agency’s internal assessments of Prompt Payment Act compliance; however, that process was not adequate to disclose the overall impact of errors or effect changes in agency performance.

Implementation of prior OIG recommendations for corrective action is pending.

Accounting for Leases

The RRB does not have adequate controls to ensure that leases are properly classified, justified and reported. Existing procedures do not include formal evaluation and documentation of pre-contract review to identify capital leases and ensure their proper recording and reporting. As a result, capital leases may not be treated in compliance with established requirements for budgetary and proprietary accounting.

During our review, we questioned the classification of an agency lease for a mainframe computer processor that was being expensed as an operating lease rather than capitalized. We were advised that existing agency documentation would not support a response and additional research would be required. Capital leases are treated differently than operating leases for both budgetary and proprietary accounting.

We recommend that the Division of Acquisitions Management:

   2. implement a pre-contract review process to document agency justification, classification and financial reporting determination for lease agreements.
   3. complete its review of the lease questioned by the audit to determine whether it is a capital or operating lease and the effect of that determination on the accounting and reporting of that lease.

OTHER MATTERS INVOLVING INTERNAL CONTROL

Computation of Prompt Payment Act Interest

The Federal Financial System (FFS) is using incorrect interest rates to compute interest under the Prompt Payment Act.

   4. We recommend that the Bureau of Fiscal Operations (BFO) implement procedural and/or programming changes to ensure that the proper interest rates are used.

Separation of Duties

The Office of Programs has not provided for adequate separation of duties and supervisory review of taxes withheld from benefit payments. A single individual is responsible for identifying periodic withholding, calculating a grand total, entering the details of the transaction to the electronic payment system, and authorizing the transfer of funds.

For calendar year 2003, the RRB paid the U.S. Treasury approximately $1 million more in taxes than was actually withheld from benefit payments. The incorrect fund transfers were self-authorized by the individual entering the data.

   5. We recommend that the Office of Programs take action to ensure proper separation of duties and supervisory review of tax transfer transactions.

Pending Tax Credits Not Recorded Timely

For calendar year 2003, the RRB paid the U.S. Treasury approximately $1 million more than was actually withheld in taxes from individuals. At least $800,000 of the overpayment was made in August of 2003. The RRB filed for a credit in March 2004 which was subsequently used to reduce the amount of taxes paid in December 2004.

The Office of Programs, which is responsible for processing these transactions, did not advise BFO of the pending credit until it had been used. As a result, the agency’s FY 2004 financial statements understated the related receivables and overstated benefit expense.

   6. We recommend that the Office of Programs establish a procedure for the timely communication of overpayments and underpayments to BFO.

Validation and Reconciliation of Personnel Record Changes

RRB employee personnel records are maintained in the General Services Administration (GSA) payroll system. Bureau of Human Resources (HR) regularly updates employee records for various reasons such as step increases, promotions, and other personnel actions. Employees can also update selected data in their personnel records. The GSA system provides HR with reports documenting the record changes or suspected errors. In response to these reports, HR validates the changes or corrects the errors.

HR has not formalized its procedures for validating or correcting changes to employee personnel records. In addition, HR does not retain copies of the reports provided by GSA and does not retain documentation to support actions taken by HR in response

We recommend that HR:

   7. develop written procedures to document their investigation procedures, and
   8. maintain records of the exceptions and results of investigation and reconciliation.

Verification of Department of Labor Transfers

The RRB records funds transferred from the Department of Labor’s (DOL) Unemployment Trust Fund without confirming the actual receipt of these funds in RRB accounts.

Although BFO confirms the transfers-out from the DOL’s Unemployment Trust Fund, the systems consulted indicate only that a transfer was made from DOL but do not indicate the account receiving the funds. As a result, identification of errors or discrepancies would be delayed until disclosed during the cash reconciliation process.

   9. We recommend that the RRB confirm the receipt of transfers from the DOL’s Unemployment Trust Fund in the proper RRB accounts soon after the transfer occurs.

MANAGEMENT’S RESPONSE

Management has agreed to review our findings and recommendations and will advise the OIG of their planned actions through the regular audit follow-up process.

[1] “Fiscal Year 2005 Evaluation of Information Security at the Railroad Retirement Board,” OIG Report #05-11, September 28, 2005
[2] “Review of Customer Service Performance Measures For Timeliness of Initial Railroad Retirement Annuity Payments,” OIG Report #05-05, May 17, 2005
[3] “Review of Internal Control Over the Actuarial Projection Process,” OIG Report #05-04, May 5, 2005
[4] “Review of Compliance with the Prompt Payment Act,” OIG Report #05-06, June 15, 2005